Wednesday, January 5, 2011

Renew self-signed certificates for VMware vCenter and SRM

After the SSL certificates for our vCenter (VirtualCenter) server expired, we decided (with Shane Kleirnet) to renew the main vCenter certificate with a certificate signed by our Microsoft CA. It made sense to do it that way, as Citrix will be accessing vCenter in our VDI test environment.

After renewing the certificate, I noticed that SRM was no longer connecting between sites. My DR site is configured with self-signed certificates; it has been in production for less than a year. What I realized after extensive research is that SRM will not pair the sites if one side uses self-signed certificates and the other CA-signed ones: both sites must use the same type of certificate.

These are the steps I used to fix the issue after many, many hours of trial and error. My SRM installations are on the same machines as vCenter.

I started by trying to configure my DR vCenter with the same type of certificate as the main site. That does work with the configuration posted below, but my Certificate Authority (CA) server runs Windows 2008 Standard, not Enterprise. Windows 2008 Standard lets you create and configure a copy of a certificate template, but it will not let you publish (issue from) it. What a road block!

This is what I did to resolve the issue. I decided to forget about CA-signed certificates; self-signed is secure enough for my environment. (With self-signed certificates the only thing establishing trust is the certificate you install on each client in step 19, so check its thumbprint against what you saw in step 9 before installing it.) Subject alternative names in your certificates are necessary only if you are using CA-signed certificates. By the way, if someone tells you to repair vCenter, don't waste your time: VC 3 and 4 do not have a repair option. :( Also make sure you have a good backup of your system (you never know!). The steps I followed are below.

Self-signed:

1. Locate the rui.key file on the vCenter (VirtualCenter) Server system.

Note: On versions of Windows prior to Windows Server 2008, this location is C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL. On Windows Server 2008, it is C:\ProgramData\VMware\VMware VirtualCenter\SSL. Rename the SSL folder and create a new, empty SSL folder in the same location.

2. Download OpenSSL and install it on C:\.
3. Turn off HA in vCenter and disconnect all hosts in the main VC site.
4. In a command prompt, navigate to the OpenSSL bin directory.
5. Copy rui.key from the folder you renamed in step 1 to the OpenSSL bin directory.
6. Run the following command, using the FQDN of your server as the CN (replace "vcenter name" and the C/ST/L values with your own):

openssl.exe req -new -x509 -days 3650 -md5 -nodes -key rui.key -out rui.crt -subj "/C=US/ST=CA/L=HAWTHORNE/CN=vcenter name"

Note: -md5 signs the certificate with MD5, which is cryptographically broken for this purpose; replace it with -sha1 (or -sha256 if everything that talks to vCenter accepts it). Neither vCenter nor SRM needs MD5. -nodes leaves rui.key unencrypted, which vCenter requires, so keep the permissions on the SSL folder tight.
7. Then run the next command (vCenter expects the PFX password to be exactly testpassword):

openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
8. Copy the two new files (rui.crt and rui.pfx) and rui.key from the bin directory to the SSL folder you created in step 1.
9. Restart the vCenter services and open the vSphere Client. Open the certificate, note its details (in particular the thumbprint, which you will compare against the warnings in step 19), and close the client.
10. Browse to the SRM install directory (C:\Program Files\VMware\VMware vCenter Site Recovery Manager\bin; Windows 2008 will have a different path). Look for the bin folder and move or rename the certificate you see inside; make sure it no longer exists in that directory.
11. Open Control Panel and start a repair of SRM.
12. When asked for a user name, use the domainname\username form (this is important).
13. When asked for the database user name, provide the account. You can also test the connection in ODBC if you wish.
14. When asked what type of certificate to use, choose the first option (create a new certificate) and continue.
15. Wait until the repair finishes. It may take a couple of minutes.
16. Open the client again and open SRM; this site should now be OK. Do not try to reconnect to the other side yet, as you must do the same steps on the DR vCenter.
17. Follow the same steps at the DR site.

18. Now try connecting (pairing) both sites, making sure you log in as domainname\username.
19. You will get certificate warnings (twice per site: one for the vCenter certificate and one for the SRM certificate). Before accepting each one, check that the thumbprint shown matches the certificate you generated (step 9), so that you are not trusting something else, and then install the certificates into the Trusted Root and Personal folders.
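The following PowerShell script is an added example (not part of the original post) that carries out steps 5 to 9 in one go and checks the result before anything reaches the live SSL folder. It goes a little beyond the command in step 6: it signs with SHA-1 instead of MD5 and adds a subjectAltName and both Server/Client Authentication EKUs so the certificate also satisfies the SAN rule from the CA section further down. The OpenSSL install path (C:\OpenSSL-Win32), the placeholder FQDN vcenter.corp.example and the assumption that rui.key has already been copied into the OpenSSL bin directory are mine, not the page's.

```powershell
# Added example, not from the original post. Assumes OpenSSL at C:\OpenSSL-Win32,
# rui.key already copied into its bin directory (step 5), and $Fqdn/$SslDir edited.
$Fqdn      = 'vcenter.corp.example'                              # placeholder; use your vCenter FQDN
$ShortName = $Fqdn.Split('.')[0]
$SslDir    = 'C:\ProgramData\VMware\VMware VirtualCenter\SSL'    # Windows Server 2008 path from step 1
$OpenSsl   = 'C:\OpenSSL-Win32\bin\openssl.exe'                  # assumed install location
$PfxPass   = 'testpassword'   # vCenter 4.x reads rui.pfx with exactly this password

Set-Location (Split-Path $OpenSsl)

# Request config: same subject fields as the command in step 6, plus a SAN with the
# FQDN and short name and both EKUs (goes beyond the page's command, see lead-in).
$cfg = @"
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
C  = US
ST = CA
L  = HAWTHORNE
CN = $Fqdn
[ext]
subjectAltName = DNS:$Fqdn, DNS:$ShortName
extendedKeyUsage = serverAuth, clientAuth
"@
Set-Content -Path rui.cnf -Value $cfg -Encoding Ascii

# -sha1 replaces the -md5 from step 6: MD5 signatures are forgeable and nothing in
# vCenter or SRM needs them. -nodes keeps rui.key unencrypted, as vCenter requires.
& $OpenSsl req -new -x509 -days 3650 -sha1 -nodes -key rui.key -out rui.crt -config rui.cnf
if ($LASTEXITCODE -ne 0) { throw 'openssl req failed' }
& $OpenSsl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout "pass:$PfxPass" -out rui.pfx
if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 failed' }

# Inspect what was produced. X509Certificate2 loads a PEM .crt or a .pfx directly.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path rui.crt).Path
$pfx  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path rui.pfx).Path, $PfxPass

$problems = @()
if ($cert.GetNameInfo('DnsName', $false) -ne $Fqdn) { $problems += "name is '$($cert.Subject)', expected CN=$Fqdn" }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($Fqdn)) { $problems += 'SAN does not contain the FQDN' }
if ($cert.SignatureAlgorithm.FriendlyName -match 'md5') { $problems += 'certificate is still MD5-signed' }
if (-not $pfx.HasPrivateKey) { $problems += 'rui.pfx has no private key' }
if ($pfx.Thumbprint -ne $cert.Thumbprint) { $problems += 'rui.pfx and rui.crt are different certificates' }
if ($problems) { throw ($problems -join "`n") }

"Subject:    $($cert.Subject)"
"SAN:        $($san.Format($false))"
"Signature:  $($cert.SignatureAlgorithm.FriendlyName)"
"Expires:    $($cert.NotAfter)"
"Thumbprint: $($cert.Thumbprint)   <- compare with the warning dialogs in step 19"

# Only now copy the three files into the new SSL folder created in step 1 (step 8).
Copy-Item rui.key, rui.crt, rui.pfx -Destination $SslDir
```

Write down the thumbprint the script prints: it is the value to compare against each certificate warning in step 19 before you click through. Because rui.key is stored unencrypted and rui.pfx uses a password everybody knows, the SSL folder should be readable only by Administrators and the account the vCenter service runs as.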

The following are the steps if you need to install certificates from a Microsoft CA. Make sure your CA server is Enterprise edition; if not, it will NOT work. The following was taken from the forum post at this link:

Re: Replace SRM certificates with Windows 2008 CA Certs
After spending hours trying to get SRM to accept the certs I was creating using my Microsoft CA, I have come up with the following steps:

When creating certificates for vCenter you need to make sure you create them exactly the same. So the Subject in the cert should read like the following:

CN =
OU = Department Name
O = Company Name
L = City
S = State (Full State name)
C = Country (Two letter Abbreviation)

Now when creating your SRM certificate you have to use both Server Authentication and Client Authentication. You can create a special Certificate Template for that on your Certificate Authority server. The following link describes how to complete this step:

Microsoft Certificate Template

Now when creating the Certificates for SRM you need to have the following subject in the cert:

OU = Department Name (same as vcenter certificate)
O = Company Name (same as vcenter certificate)
L = City (same as vcenter certificate)
S = State (same as vcenter certificate)
C = Country (same as vcenter certificate)

Now comes the part that I struggled with the most. SRM requires you to have a subject alternative name in your certificate that is the FQDN of the server you are creating the certificate for; but if you have multiple Subject Alternative Names in your Virtual Center cert, using FQDN and host name, then you need to do the same for SRM. For example:

If you miss this step SRM will not validate your certificate.

Here are a couple of articles that I found helpful when working through this issue:

replacing virtual center certificate

How to add subject alternative name
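As an added example (not from the forum post above, nor from VMware), here is how the rules in that post can be turned into an actual request against an Enterprise CA using certreq and certutil, which ship with Windows: a subject whose OU/O/L/S/C fields are identical to the vCenter certificate, both the Server Authentication and Client Authentication EKUs, and a SAN carrying the FQDN and the short host name. The FQDN srm.corp.example, the CA config string CA01.corp.example\Corp-Issuing-CA, the template name VMwareSRM and the subject field values are placeholders I chose; replace them with yours. As noted earlier on this page, a CA on Windows 2008 Standard cannot issue from such a duplicated template.

```powershell
# Added example, not from the forum post. Placeholders below must be edited.
$Fqdn      = 'srm.corp.example'
$ShortName = 'SRM'
$CaConfig  = 'CA01.corp.example\Corp-Issuing-CA'   # "certutil -config - -ping" shows the real value
$Template  = 'VMwareSRM'                            # the duplicated template with both EKUs
$PfxPass   = 'testpassword'

# Single-quoted here-string so that "$Windows NT$" is not expanded by PowerShell.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; OU/O/L/S/C must match the vCenter certificate field for field.
Subject = "CN={FQDN}, OU=Department Name, O=Company Name, L=City, S=Full State Name, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns={FQDN}&"
_continue_ = "dns={SHORT}&"

[RequestAttributes]
CertificateTemplate = {TEMPLATE}
'@
$inf = $inf.Replace('{FQDN}', $Fqdn).Replace('{SHORT}', $ShortName).Replace('{TEMPLATE}', $Template)
Set-Content -Path srm.inf -Value $inf -Encoding Ascii

certreq -new srm.inf srm.req
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }
certreq -submit -config $CaConfig srm.req srm.cer
if ($LASTEXITCODE -ne 0) { throw 'certreq -submit failed (request pending or denied?)' }
certreq -accept srm.cer
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# Check that the CA actually issued what the template promised before exporting it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path srm.cer).Path
$eku  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).Format($false)
$san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
if ($eku -notmatch '1\.3\.6\.1\.5\.5\.7\.3\.1' -or $eku -notmatch '1\.3\.6\.1\.5\.5\.7\.3\.2') {
    throw "EKU is '$eku'; both Server and Client Authentication are required"
}
if ($san -notmatch [regex]::Escape($Fqdn)) { throw "SAN is '$san'; it must contain $Fqdn" }

# Export certificate plus private key as rui.pfx with the password vCenter/SRM expect.
certutil -p $PfxPass -exportPFX MY $cert.Thumbprint rui.pfx
```

The EKU and SAN checks are there because a CA that silently strips request extensions (or a template without the second EKU) produces a certificate that looks fine in the console but that SRM will reject, which is the failure the post describes. The resulting rui.pfx is the file to point the SRM installer or repair at when you choose the PKCS#12 option instead of the auto-generated certificate in step 14.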


Marchionni, Enzo said...

Fabricio, very good article. Where the line:
"/C=US/ST=CA/L=HAWTHORNE/CN=vcenter name"

appears, is that the same for everyone? What should be replaced?
I'm trying to replace the certificates but it's not clear to me how to create the new Microsoft CA template. Do you have any documentation on that? Any contact with a specialist?
I'd appreciate any help.

Jimmy Jarred said...

Great explanation. I will consider all the guidelines and points you have listed. The process appears complex and clumsy, but this article helped me a lot.
digital certificates